
Cryptosystems Based on Discrete Logarithms



  1. Cryptosystems Based on Discrete Logarithms

  2. Outline
  • [1] Discrete Logarithm Problem
  • [2] Algorithms for Discrete Logarithm
    • A trivial algorithm
    • Shanks' algorithm (Baby-step Giant-step)
    • Pollard's algorithm
    • Pohlig-Hellman algorithm
    • Adleman's algorithm (the index calculus method)
  • [3] Cryptosystems Based on Discrete Logarithm
    • Key distribution
    • Encryption
    • Digital signature

  3. [1] Discrete Logarithm Problem
  • Let G be a finite multiplicative group (G, *). For an element α ∈ G having order n, define
    <α> = {α^i | i = 0, 1, 2, …, n-1}.
    Then <α> is a subgroup of G, and <α> is cyclic of order n.
  • Discrete logarithm problem: given β ∈ <α>, find the unique integer a, 0 ≤ a ≤ n-1, such that α^a = β. Write a = log_α β.

  4. Discrete Logarithm Problem
  • Example 1: G = Z_19^* = {1, 2, …, 18}, n = 18, generator g = 2.
    Then log_2 14 = 7 (since 2^7 = 128 ≡ 14 mod 19) and log_2 6 = 14.

  5. Discrete Logarithm Problem
  • Example 2: In Z_11^* = {1, 2, …, 10}, let G = <3> = {1, 3, 9, 5, 4}, n = 5. 3 is not a generator of Z_11^* but a generator of G. log_3 5 = 3.

  6. Discrete Logarithm Problem
  • Example 3: G = GF(2^3)^* with irreducible polynomial p(x) = x^3 + x + 1, i.e. the nonzero elements of Z_2[x]/(p(x)):
    G = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x.
    Then log_x(x+1) = 3, log_x(x^2+x+1) = 5, log_x(x^2+1) = 6 (reducing modulo p(x): x^3 = x+1, x^5 = x^2+x+1, x^6 = x^2+1).

  7. Discrete Logarithm Problem
  • Example 4: Let p = 1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359.
    NB: p = 158·(2^800 + 25) + 1 and has 808 bits (244 decimal digits).
  • Find such that

  8. [2] Algorithms for Discrete Logarithm • A trivial algorithm • Shanks’ algorithm (Baby-step giant-step) • Pollard rho discrete log algorithm • Pohlig-Hellman algorithm • The index calculus method

  9. A trivial algorithm
  • Discrete Logarithm Problem in Z_p^*: given a generator α (i.e. <α> = Z_p^*) and β in Z_p^*, find a in Z_{p-1} = {0, 1, …, p-2} s.t. β = α^a mod p.
  • A trivial algorithm: compute α^i for i = 0, 1, 2, … and test whether β = α^i.
  • Time complexity O(p).

  10. Shanks' algorithm
  • Shanks' algorithm (Baby-step giant-step) (1972)
  • Compute L1 = {(i, α^{mi}) | i = 0, 1, …, m-1} and L2 = {(i, βα^{-i}) | i = 0, 1, …, m-1}, where m = ⌈(p-1)^{1/2}⌉.
  • Sort L1 and L2 with respect to the 2nd coordinate.
  • Find a pair with the same 2nd coordinate in L1 and L2, say (q, α^{mq}) and (r, βα^{-r}), which gives α^{mq} = βα^{-r}. So β = α^{mq+r} and a = mq + r.
    Such a pair always exists: every a in [0, p-2] can be written as mq + r with 0 ≤ q, r ≤ m-1, because m^2 ≥ p-1.
  • Time complexity O(m log m) = O(p^{1/2} log p); space complexity O(p^{1/2}). (In practice a hash table on the 2nd coordinate replaces the sort.)

  11. Example 1: log_2 15 mod 19 = ?
  G = Z_19^* = {1, 2, …, 18}, α = 2, α^{-1} = 10, n = p-1 = 18, m = 5, α^m = 13, β = 15.
    i   L1: α^{mi}   L2: βα^{-i}
    0       1           15
    1      13           17
    2      17           18
    3      12            9
    4       4           14
  The value 17 occurs in L1 at q = 2 and in L2 at r = 1, so mq + r = 11 and log_2 15 mod 19 = 11.

  12. Example 2: log_3 525 mod 809 = ?
  G = Z_809^* = {1, 2, …, 808} = <3>, α = 3, α^{-1} = 270 (3·270 = 810 ≡ 1 mod 809), n = p-1 = 808, m = 29, α^m = 99, β = 525.
    i   L1: α^{mi}   L2: βα^{-i}
    0       1          525
    1      99          175
    2      93          328
    3     308          379
    4     559          396
    5     329          132
    6     211           44
    7     664          554
    8     207          724
    9     268          511
   10     644          440
   11     654          686
   12      26          768
   13     147          256
   14     800          355
   15     727          388
   16     781          399
   17     464          133
   18     632          314
   19     275          644
   20     528          754
   21     496          521
   22     564          713
   23      15          777
   24     676          259
   25     586          356
   26     575          658
   27     295          489
   28      81          163

  13. The value 644 occurs in L1 at q = 10 and in L2 at r = 19, so mq + r = 29·10 + 19 = 309 mod 808, and log_3 525 mod 809 = 309.

  14. Pollard rho DL algorithm
  • Pollard rho discrete logarithm algorithm (1978): compute integers s and t such that
  • Partition the group G into three roughly equal-sized sets S1, S2 and S3. Let x0 = 1_G, with x0 not in S2.

  15. where n = p-1 when G = Z*p

  16. We should expect some integer such that , then this gives with If then compute and we have , so that If little work to do... (Omitted)

  17. Floyd's cycle-finding algorithm: one starts with the pair (x1, x2) and iteratively computes (x_i, x_{2i}) from the previous (x_{i-1}, x_{2i-2}), until x_m = x_{2m} for some m. The expected running time of this method is O(n^{1/2}), and only the current pair has to be stored, unlike the O(n^{1/2}) table of Shanks' algorithm.

  18. Pollard's rho algorithm for discrete logarithms
  • INPUT: a generator α of a cyclic group G of prime order n, and an element β of G
  • OUTPUT: the discrete logarithm log_α β, or "failure"
  1. Set x0 ← 1, a0 ← 0, b0 ← 0 (the iteration keeps x_i = α^{a_i} β^{b_i} throughout)
  2. For i = 1, 2, … do the following:
     2.1 Use x_{i-1}, a_{i-1}, b_{i-1} to compute x_i, a_i, b_i; use x_{2i-2}, a_{2i-2}, b_{2i-2} to compute x_{2i}, a_{2i}, b_{2i}
     2.2 If x_i = x_{2i}, then do the following: set r ← b_i − b_{2i} mod n; if gcd(r, n) ≠ 1 then return "failure", else return r^{-1}(a_{2i} − a_i) mod n

  19. Example: α = 2 is a generator of the subgroup G of Z_383^* of order n = 191 (in this case <α> = G ≠ Z_383^*). Suppose β = 228. Find log_2 228.
  Solution: partition G into 3 subsets S1, S2, S3 and iterate as on slide 18.

  20. Solution (continued): From the table, we have x14 = x28 = 144. Finally compute r = b14 − b28 mod 191 = 125, r^{-1} = 125^{-1} mod 191 = 136, and r^{-1}(a28 − a14) mod 191 = 110. Hence log_2 228 = 110 (check: 2^110 ≡ 228 mod 383).
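The algorithm of slide 18 run on the example of slides 19-20, as an added Python example (not code from the slides). The partition and update rules are not spelled out on the page, so the standard ones are assumed: S1 = {x ≡ 1 mod 3}, S2 = {x ≡ 0 mod 3}, S3 = {x ≡ 2 mod 3}, with x ← βx in S1, x ← x^2 in S2 and x ← αx in S3, every element being tracked as x = α^a β^b. The restart-on-failure loop is an addition for robustness.

```python
from math import gcd

def pollard_rho_log(alpha, beta, p, n, max_restarts=20):
    """log_alpha(beta) in the subgroup <alpha> of Z_p^* of prime order n,
    by Pollard's rho with Floyd cycle finding.

    Assumed iteration (standard, not stated on the slides): G is split by
    x mod 3 into S1 (x = 1), S2 (x = 0), S3 (x = 2), and every element is
    tracked as x = alpha^a * beta^b, so a collision x_i = x_2i gives a linear
    relation in log_alpha(beta).  Returns None if every restart fails.
    """
    def step(x, a, b):
        if x % 3 == 1:                                 # S1: x <- beta * x
            return beta * x % p, a, (b + 1) % n
        if x % 3 == 0:                                 # S2: x <- x^2
            return x * x % p, 2 * a % n, 2 * b % n
        return alpha * x % p, (a + 1) % n, b           # S3: x <- alpha * x

    # First start is x0 = 1 (a0 = b0 = 0) as on slide 18; later starts use
    # other exponents so that a failed run (r = 0 mod n) is not just repeated.
    starts = [(0, 0)] + [(k, 2 * k + 1) for k in range(1, max_restarts)]
    for a0, b0 in starts:
        x0 = pow(alpha, a0, p) * pow(beta, b0, p) % p
        tortoise = hare = (x0, a0, b0)
        while True:
            tortoise = step(*tortoise)                 # x_i
            hare = step(*step(*hare))                  # x_2i
            if tortoise[0] == hare[0]:
                break
        _, a_i, b_i = tortoise
        _, a_2i, b_2i = hare
        r = (b_i - b_2i) % n
        if gcd(r, n) != 1:
            continue                                   # 'failure' on slide 18: restart
        return pow(r, -1, n) * (a_2i - a_i) % n
    return None

if __name__ == "__main__":
    # Slide 19/20 example: alpha = 2 has order 191 in Z_383^*, beta = 228.
    x = pollard_rho_log(2, 228, 383, 191)
    print(x, pow(2, x, 383) == 228)      # 110 True
```

With the start x0 = 1 the walk collides at i = 14 exactly as on slide 20 (x14 = x28 = 144, r = 125). The algorithm needs n prime only so that r is invertible whenever r ≠ 0; for composite n one first reduces with Pohlig-Hellman.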

  21. Pohlig-Hellman algorithm
  • Pohlig-Hellman algorithm (1978): if <α> is of order n and β ∈ <α>, then a = log_α β is determined (uniquely) mod n. E.g. if <α> = Z_p^* (i.e. α is a generator of Z_p^*), then n = p-1.
  • Let n = ∏ p_i^{c_i} be the prime factorization of n. The idea of the Pohlig-Hellman algorithm is that we can compute a mod p_i^{c_i} for each i, and then compute a mod n by the CRT (Chinese remainder theorem). (See text for details.)
  • The work is dominated by the largest prime factor of n, so a group is only as strong as the largest prime dividing its order; this is why DL-based systems use a prime-order subgroup or a prime p with p-1 having a large prime factor.
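Shanks' algorithm of slides 10-13 and the Pohlig-Hellman reduction of slide 21 in one runnable example, added here (not code from the slides). The baby-step giant-step routine is written for a subgroup of arbitrary order n rather than only n = p-1, so that Pohlig-Hellman can reuse it inside each prime-order subgroup; the trial-division factorisation and the CRT helper are assumptions suited to the toy sizes of the slides' examples.

```python
from math import isqrt

def bsgs(alpha, beta, p, n):
    """Shanks' baby-step giant-step (slide 10) in the subgroup <alpha> of Z_p^*
    of order n.  Returns a with alpha^a = beta (mod p), or None if beta is not
    in <alpha>.  Time and space O(sqrt(n)); a dict replaces the slide's sort."""
    m = isqrt(n - 1) + 1                     # m = ceil(sqrt(n))
    alpha_m = pow(alpha, m, p)
    giant = {}                               # L1: alpha^(m*q) -> q
    x = 1
    for q in range(m):
        giant.setdefault(x, q)
        x = x * alpha_m % p
    alpha_inv = pow(alpha, -1, p)
    y = beta % p                             # L2: beta * alpha^(-r), r = 0, 1, ...
    for r in range(m):
        if y in giant:
            return (giant[y] * m + r) % n
        y = y * alpha_inv % p
    return None

def factor(n):
    """Trial-division factorisation, {prime: exponent}; fine for toy sizes."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big = 1
    for mod in moduli:
        big *= mod
    x = 0
    for r, mod in zip(residues, moduli):
        part = big // mod
        x += r * part * pow(part, -1, mod)
    return x % big

def pohlig_hellman(alpha, beta, p, n):
    """log_alpha(beta) where alpha has order n in Z_p^* (slide 21).
    For each prime power q^c dividing n exactly, a mod q^c is found one base-q
    digit at a time; each digit is a discrete log in the order-q subgroup
    generated by gamma = alpha^(n/q).  The pieces are combined by the CRT."""
    residues, moduli = [], []
    for q, c in factor(n).items():
        gamma = pow(alpha, n // q, p)
        a_mod_qc = 0
        for j in range(c):
            # strip the digits found so far, then project into the order-q subgroup
            h = beta * pow(alpha, -a_mod_qc, p) % p
            h = pow(h, n // q ** (j + 1), p)
            digit = bsgs(gamma, h, p, q)
            if digit is None:
                return None                  # beta is not in <alpha>
            a_mod_qc += digit * q ** j
        residues.append(a_mod_qc)
        moduli.append(q ** c)
    return crt(residues, moduli)

if __name__ == "__main__":
    print(bsgs(2, 15, 19, 18), bsgs(3, 525, 809, 808))   # 11 309 (slides 11-13)
    print(pohlig_hellman(3, 525, 809, 808))                 # 309, via 808 = 2^3 * 101
    print(pohlig_hellman(2, 14, 19, 18))                    # 7 (slide 4), via 18 = 2 * 3^2
```

For the 809 example the reduction replaces one search over 808 elements by three digits mod 2 and one log in a subgroup of order 101, i.e. tables of size at most 11 instead of 29; on the slide 19 group (order 191, prime) Pohlig-Hellman degenerates to a single baby-step giant-step call.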

  22. The index calculus method
  • The index calculus method (suitable for G = Z_p^* and other finite-field groups, where elements can be factored over a small set of primes; not for an arbitrary group)

  23. Example: log_5 9451 mod 10007 = ?
  Choose the factor base B = {2, 3, 5, 7}. Of course log_5 5 = 1.
  Use the lucky exponents 4063, 5136 and 9865:
    5^4063 mod 10007 = 42 = 2 · 3 · 7
    5^5136 mod 10007 = 54 = 2 · 3^3
    5^9865 mod 10007 = 189 = 3^3 · 7
  And we have three congruences:
    log_5 2 + log_5 3 + log_5 7 ≡ 4063 (mod 10006)
    log_5 2 + 3 log_5 3 ≡ 5136 (mod 10006)
    3 log_5 3 + log_5 7 ≡ 9865 (mod 10006)

  24. There happens to be a unique solution modulo 10006:
  • log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301
  • Choose the random exponent s = 7736 and compute
    βα^s = 9451 · 5^7736 mod 10007 = 8400
  • Since 8400 = 2^4 · 3 · 5^2 · 7 factors over B, we obtain
    log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 − s) mod 10006
               = (4·6578 + 6190 + 2·1 + 1301 − 7736) mod 10006
               = 6057
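The two stages of slides 22-24 as an added Python example (not code from the slides). Instead of the slide's hand-picked "lucky" exponents it scans k = 1, 2, … for B-smooth powers of α and keeps collecting relations until the linear system is solvable modulo every prime of p-1; the demo assumes p-1 is squarefree (true for 10006 = 2·5003, passed in as order_primes, an assumption of this code), solves modulo each prime by Gauss-Jordan elimination and recombines with the CRT. Stage 2 scans s instead of choosing it at random.

```python
from math import prod

def smooth_exponents(x, base):
    """Exponent vector of x over the factor base, or None if x is not base-smooth."""
    exps = []
    for b in base:
        e = 0
        while x % b == 0:
            x //= b
            e += 1
        exps.append(e)
    return exps if x == 1 else None

def solve_mod_prime(rows, q):
    """Gauss-Jordan elimination over Z_q (q prime) for rows (coeffs, rhs).
    Returns the unique solution, or None if the system is under-determined
    (more relations needed) or inconsistent."""
    ncols = len(rows[0][0])
    M = [[v % q for v in coeffs] + [rhs % q] for coeffs, rhs in rows]
    rank = 0
    for col in range(ncols):
        piv = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if piv is None:
            return None
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], -1, q)
        M[rank] = [v * inv % q for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[rank])]
        rank += 1
    if any(row[ncols] for row in M[rank:]):
        return None
    return [M[i][ncols] for i in range(ncols)]

def index_calculus_log(alpha, beta, p, base, order_primes):
    """log_alpha(beta) for a generator alpha of Z_p^* by the index calculus
    method (slides 22-24).  order_primes are the primes dividing p-1; this demo
    assumes p-1 is squarefree, so solving mod each prime and recombining with
    the CRT yields the logs mod p-1."""
    n = p - 1
    assert prod(order_primes) == n, "demo assumes p-1 squarefree"
    # Stage 1: alpha^k = prod b_i^e_i (mod p)  <=>  sum e_i log b_i = k (mod n).
    relations, logs_mod = [], {}
    k, x = 0, 1
    while len(logs_mod) < len(order_primes):
        k += 1
        x = x * alpha % p
        exps = smooth_exponents(x, base)
        if exps is None:
            continue
        relations.append((exps, k))
        for q in order_primes:               # retry each prime until its system is solvable
            if q not in logs_mod:
                sol = solve_mod_prime(relations, q)
                if sol is not None:
                    logs_mod[q] = sol
    logs = []
    for i in range(len(base)):               # CRT across the primes of p-1
        logs.append(sum(logs_mod[q][i] * (n // q) * pow(n // q, -1, q)
                        for q in order_primes) % n)
    # Stage 2: find s with beta * alpha^s smooth over the base, then read off the log.
    for s in range(n):
        exps = smooth_exponents(beta * pow(alpha, s, p) % p, base)
        if exps is not None:
            a = (sum(e * l for e, l in zip(exps, logs)) - s) % n
            assert pow(alpha, a, p) == beta
            return a
    return None

if __name__ == "__main__":
    print(index_calculus_log(5, 9451, 10007, [2, 3, 5, 7], [2, 5003]))   # 6057
```

The expensive part is stage 1, and it depends only on α and p, not on β: once the logs of the factor base are known, every further log in the same group costs only a stage-2 search. That is what makes one precomputation per prime p so damaging for any deployment that shares a fixed p.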

  25. [3] Cryptosystems based on DL • Key Distribution • Diffie-Hellman, 1976 • Encryption • Massey-Omura cryptosystem, 1983 • Digital Signature • ElGamal, 1985

  26. Diffie-Hellman Key Exchange Algorithm
  • Global Public Elements
    q : prime number
    α : α < q and α is a primitive root of q
  • User A Key Generation
    Select private X_A : X_A < q
    Calculate public Y_A : Y_A = α^{X_A} mod q
  • User B Key Generation
    Select private X_B : X_B < q
    Calculate public Y_B : Y_B = α^{X_B} mod q
  • Generation of Secret Key by User A
    K = (Y_B)^{X_A} mod q
  • Generation of Secret Key by User B
    K = (Y_A)^{X_B} mod q
  • Both values equal α^{X_A X_B} mod q. The exchange itself is unauthenticated: unless Y_A and Y_B are authenticated, an active attacker can run one exchange with each side (man-in-the-middle).

  27. Diffie-Hellman Key Exchange
  User A: generate random X_A < q; calculate Y_A = α^{X_A} mod q
  A → B: Y_A
  User B: generate random X_B < q; calculate Y_B = α^{X_B} mod q
  B → A: Y_B
  User A: calculate K = (Y_B)^{X_A} mod q
  User B: calculate K = (Y_A)^{X_B} mod q

  28. Massey-Omura for message transmission
  • Parameters
    q : prime number
    e : a random private integer, 0 < e < q and gcd(e, q-1) = 1
    d : an inverse of e, d = e^{-1} mod (q-1), i.e. de ≡ 1 (mod q-1)
    M : a message to be encrypted and decrypted
  • User A wants to send a message M to User B
    User A : e_A and d_A are both private
    User B : e_B and d_B are both private

  29. Massey-Omura for message transmission
  1. Encryption (1), A → B: C1 = M^{e_A} mod q
  2. Encryption (2), B → A: C2 = C1^{e_B} = M^{e_A e_B} mod q
  3. Encryption (3), A → B: C3 = C2^{d_A} = (M^{e_A e_B})^{d_A} = M^{e_B} mod q
  4. Decryption, B: M = C3^{d_B} = M^{e_B d_B} mod q
  Nothing in the three passes identifies the parties, so they must be authenticated, as for Diffie-Hellman.

  30. ElGamal encryption scheme
  • Parameters
    p : a large prime
    α : a generator of Z_p^*
    a : a private key, a ∈ [1, p-1]
    β : a public key, β = α^a (mod p)
    m : a message, m ∈ [1, p-1]
    k : a random integer that is privately selected, k ∈ [0, p-2]
    K = (p, α, a, β) : public key (p, α, β) + private key a
  • Encryption e_K(m, k) = (y1, y2), where y1 = α^k mod p and y2 = m β^k mod p
  • Decryption m = d_K(y1, y2) = y2 (y1^a)^{-1} mod p, since y1^a = α^{ak} = β^k
  • k must be fresh for every message: if the same k is used for m and m', the ciphertexts share y1 and y2/y2' = m/m' is exposed.

  31. ElGamal signature scheme
  • 1985 ElGamal
  • Parameters
    p : a large prime
    α : a generator of Z_p^*
    a : a private key, a ∈ [1, p-1]
    β : a public key, β = α^a (mod p)
    m : a message to be signed, m ∈ [1, p-1]
    k : a random integer that is privately selected, k ∈ [0, p-2] with gcd(k, p-1) = 1
  • Signature
    r = α^k mod p
    s = k^{-1}(m − ra) mod (p-1), i.e. m ≡ ks + ra (mod p-1)
    (m, (r, s)) is sent to the verifier
  • Verification
    α^m ≡ r^s β^r (mod p)
    The signature (r, s) is accepted when the equality holds (and 0 < r < p).
  • k must be secret and fresh for every signature: two signatures with the same k share r, and subtracting their s-equations gives k and hence a. In practice a hash of the message, not m itself, is signed.
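The four schemes of slides 26-31 in one runnable example, added here (not the slides' code), over a toy group. The prime 467 with generator 2, and the fixed signer key a = 127 and nonce k = 213 used in the demo, are assumptions chosen for reproducibility, not values from the slides. Besides the arithmetic it carries the checks a practitioner wants: peer-value validation in Diffie-Hellman, the gcd(k, p-1) requirement when signing, and a routine that recovers the private key from two signatures made with the same k.

```python
import secrets
from math import gcd

# Toy parameters, an assumption of this demo: 467 is prime and 2 generates Z_467^*
# (order 466 = 2 * 233).  Real systems use >= 2048-bit primes or elliptic-curve groups.
P, ALPHA = 467, 2

def dh_keypair(p, alpha):
    """Slide 26: private X in [1, p-2], public Y = alpha^X mod p.  Public values
    1 and p-1 (order 1 or 2) are skipped because a peer should reject them."""
    while True:
        x = secrets.randbelow(p - 2) + 1
        y = pow(alpha, x, p)
        if 1 < y < p - 1:
            return x, y

def dh_shared_secret(p, their_public, my_private):
    """K = Y^X mod p, after rejecting Y in {0, 1, p-1}: those confine K to a
    trivial subgroup no matter what X is."""
    if not 1 < their_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, p)

def massey_omura_keypair(p):
    """Slide 28: private e with gcd(e, p-1) = 1 and d = e^-1 mod p-1."""
    while True:
        e = secrets.randbelow(p - 2) + 1
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def massey_omura_transmit(p, m, keys_a, keys_b):
    """Slide 29, all three passes in one place; returns what B recovers."""
    e_a, d_a = keys_a
    e_b, d_b = keys_b
    c1 = pow(m, e_a, p)                 # A -> B:  m^eA
    c2 = pow(c1, e_b, p)                # B -> A:  m^(eA eB)
    c3 = pow(c2, d_a, p)                # A -> B:  m^eB, since eA dA = 1 mod p-1
    return pow(c3, d_b, p)              # B:       m

def elgamal_encrypt(p, alpha, beta, m, k):
    """Slide 30: (y1, y2) = (alpha^k, m beta^k) mod p.  k must be fresh per message."""
    return pow(alpha, k, p), m * pow(beta, k, p) % p

def elgamal_decrypt(p, a, y1, y2):
    return y2 * pow(pow(y1, a, p), -1, p) % p

def elgamal_sign(p, alpha, a, m, k):
    """Slide 31: r = alpha^k mod p, s = k^-1 (m - a r) mod p-1, gcd(k, p-1) = 1.
    As on the slide m itself is signed; real schemes sign a hash of the message."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (m - a * r) % (p - 1)
    return r, s

def elgamal_verify(p, alpha, beta, m, r, s):
    """Accept iff 0 < r < p and alpha^m = r^s beta^r (mod p)."""
    if not 0 < r < p:
        return False
    return pow(alpha, m, p) == pow(r, s, p) * pow(beta, r, p) % p

def recover_private_key(p, m1, s1, m2, s2, r):
    """Why k must never repeat: two signatures with the same r share k, and
    s1 - s2 = k^-1 (m1 - m2) gives k, then a = (m1 - k s1) r^-1 (mod p-1).
    Returns None when an inverse mod p-1 does not exist (a small ambiguity remains)."""
    try:
        k = (m1 - m2) * pow(s1 - s2, -1, p - 1) % (p - 1)
        return (m1 - k * s1) * pow(r, -1, p - 1) % (p - 1)
    except ValueError:
        return None

if __name__ == "__main__":
    xa, ya = dh_keypair(P, ALPHA)
    xb, yb = dh_keypair(P, ALPHA)
    assert dh_shared_secret(P, yb, xa) == dh_shared_secret(P, ya, xb)
    assert massey_omura_transmit(P, 123, massey_omura_keypair(P), massey_omura_keypair(P)) == 123
    a, beta = 127, pow(ALPHA, 127, P)               # fixed signer key for a reproducible run
    y1, y2 = elgamal_encrypt(P, ALPHA, beta, 100, 213)
    assert elgamal_decrypt(P, a, y1, y2) == 100
    r, s1 = elgamal_sign(P, ALPHA, a, 100, 213)
    assert elgamal_verify(P, ALPHA, beta, 100, r, s1)
    _, s2 = elgamal_sign(P, ALPHA, a, 233, 213)     # same k reused for a second message
    print((r, s1), recover_private_key(P, 100, s1, 233, s2, r))   # (29, 51) 127
```

The nonce k plays the role of the per-message secret in every DL-based signature (ElGamal, DSA, Schnorr alike), so recover_private_key is the reason implementations derive k from a cryptographic random source or deterministically from the key and message (RFC 6979 style) rather than from anything that can repeat.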
